What is SOC 2?

SOC 2 is an independent attestation that your service organization protects customer data using the AICPA Trust Services Criteria. Enterprise buyers treat it as table stakes — especially for B2B SaaS and cloud vendors.

The basics

Trust Services Criteria, not a checkbox list.

Security (required)

Every SOC 2 report includes the Security category — access control, change management, monitoring, and incident response. This is the core every buyer asks about.

Optional categories

Availability, confidentiality, processing integrity, and privacy can be added based on your product and contracts. Most SaaS vendors start with Security plus Availability or Confidentiality.

Independent CPA firm

A licensed auditor issues the report after reviewing your controls and evidence. You do not “get certified” — you receive an attestation report you share under NDA or via a trust center.

Points of focus

Under each criterion in the Trust Services Criteria, the AICPA defines points of focus that describe what implementing that criterion looks like in practice. Auditors expect you to assess and document each point of focus — not just the parent criterion.

Type I vs Type II

Design at a point in time, or effectiveness over time.

Type I reports on whether controls are suitably designed as of a specific date. It is useful early in a program or for a first buyer conversation, but most enterprise procurement teams ask for Type II.

Type II tests operating effectiveness over a review period — typically six to twelve months. The auditor samples evidence across that window: access reviews, change tickets, monitoring alerts, and policy acknowledgments must hold up under fieldwork.

  • Plan integrations and monitoring before the observation period starts — gaps discovered mid-period are expensive
  • Keep evidence fresh: stale screenshots and one-off exports fail sampling
  • Align PBC (provided-by-client) lists early so auditors see lineage, not scavenger hunts

Who needs it

Common triggers for a SOC 2 program.

1. Enterprise sales

Security questionnaires and vendor reviews ask for SOC 2 before signature or renewal.

2. Series A–C fundraising

Investors and boards expect a credible security posture story with third-party attestation.

3. Regulated data

Handling customer PII, PHI, or payment data increases scrutiny — SOC 2 is often the first formal program.

FAQ

Common questions

What is SOC 2?

SOC 2 is an attestation report from an independent CPA firm that evaluates how a service organization protects customer data using the AICPA Trust Services Criteria — security plus optional availability, confidentiality, processing integrity, and privacy.

What is the difference between SOC 2 Type I and Type II?

Type I reports on control design at a point in time. Type II tests operating effectiveness over a review period — typically six to twelve months — which is what most enterprise buyers request.

Who needs a SOC 2 report?

B2B SaaS, cloud infrastructure, and any vendor handling customer data for US enterprise buyers. Procurement teams often require SOC 2 before contract signature or renewal.